My bank implemented new security questions last night. Here are the questions in their unedited glory (notations in brackets are for part two of the game).
- [A] What is the name of the high school you attended?
- [B] What is the name of the first company you worked for?
- [C] What is the name of the first street you lived on as a child?
- [D] What is the first name of your paternal grandmother (father’s mother)?
- [E] What was your favorite place to visit as a child? (Park, vacation city, etc.)
- [F] What is the first name of your spouse’s mother?
- [G] In what city did you attend high school?
- [H] What year did you graduate from elementary/grade school? (YYYY)
- [I] What is your best friend’s first name?
- [J] What is the profession of your maternal grandfather (mother’s father)?
- [K] What is your mother’s birthday? (MMDD)
- [L] What is your favorite city other than where you live now?
- [M] What is your first child’s middle name?
- [N] What is the first name of your best friend from college?
- [O] What year did you get your first job? (YYYY)
- [P] What is name of the hospital in which you were born?
- [Q] What is your oldest sibling’s birthday? (MMDD)
- [R] In what city was your father born?
- [S] What is the last name of your favorite historical figure?
- [T] What year were you married? (YYYY)
If you’re playing along at home, how many of these questions (of the 21) are “good”? Blah blah blah, determined adversary, but COME ON! This is ridiculous. Schneier is getting an email about this one and maybe he can put a boot to their security officer’s coffee cup and wake him/her up.
Now, for the analysis.
| Threat | Questions |
|---|---|
| Vulnerable to public records (first degree) | A, C, G, H, P, T |
| Vulnerable to public records (second degree) | F, J, K, M, Q, R |
| Vulnerable to close friends | A, C, G, I, N, T |
| Vulnerable to resume | A, B, G, H, O |
| Vulnerable to guessing* | H, I, N, L, S |
| Not particularly vulnerable | E, L, S |
*Vulnerable to Guessing
[H] What year did you graduate from elementary/grade school? (YYYY) Given a person’s age (mostly public record), elementary graduation is easy to deduce within a year or two.
[I] What is your best friend’s first name?
[N] What is the first name of your best friend from college? Top 10 most common male names has a whopping 25% chance of hitting a match.
[L] What is your favorite city other than where you live now? Paris. New York. San Francisco. Los Angeles. Miami. Add in a few others and that’s got to be at least 25%, assuming you have no other data (i.e. travel records, vacation photos on the web, etc.).
[S] What is the last name of your favorite historical figure? Census data on last names gives about a 5% chance of a hit within the top 10. But come on. Washington, Lincoln, Franklin, Jefferson (people on money). Throw in a few living presidents and/or dead celebrities and you should be able to improve that percentage as well.
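To put numbers on the table and the guessing footnote above, here is a small scoring script. It is an added example, not something from the original post or from the bank: it encodes the post’s own threat rows, then models the guessable questions with constructed answer shares (illustrative figures that only match the rough 25% top-10 claim, not real census data) to compute how often a short guess list inside a typical lockout window would succeed, and how many bits of min-entropy each answer really carries.

```python
from math import log2

# Threat-model rows from the post's table; letters refer to its question list.
THREATS = {
    "public records (first degree)": set("ACGHPT"),
    "public records (second degree)": set("FJKMQR"),
    "close friends": set("ACGINT"),
    "resume": set("ABGHO"),
    "guessing": set("HINLS"),
}
ALL_QUESTIONS = set("ABCDEFGHIJKLMNOPQRST")

# Constructed answer distributions (illustrative shares, NOT real census data).
# Named answers are what a guesser would try first; "other" is the long tail
# that a short guess list never reaches. Named shares sum to 0.25 here, which
# mirrors the post's "top 10 names cover about 25%" estimate.
ANSWER_SHARES = {
    "I": {  # best friend's first name (also models question N)
        "James": 0.035, "John": 0.033, "Robert": 0.031, "Michael": 0.029,
        "William": 0.027, "David": 0.025, "Richard": 0.021, "Joseph": 0.019,
        "Thomas": 0.018, "Charles": 0.012, "other": 0.75,
    },
    "L": {  # favorite city other than where you live
        "Paris": 0.08, "New York": 0.07, "San Francisco": 0.05,
        "Los Angeles": 0.03, "Miami": 0.02, "other": 0.75,
    },
}


def exposed_by(question, threats=THREATS):
    """Names of the threat rows that defeat a single question."""
    return sorted(name for name, qs in threats.items() if question in qs)


def surviving_questions(threats=THREATS, all_questions=ALL_QUESTIONS):
    """Questions that appear in no threat row at all."""
    exposed = set().union(*threats.values())
    return sorted(all_questions - exposed)


def guess_success(shares, attempts):
    """Probability that `attempts` guesses, drawn from the most common named
    answers, include the true answer. The 'other' tail is never guessed."""
    named = sorted((p for a, p in shares.items() if a != "other"), reverse=True)
    return sum(named[:attempts])


def min_entropy_bits(shares):
    """Min-entropy of the answer: the bits of work a single best guess faces."""
    best = max(p for a, p in shares.items() if a != "other")
    return -log2(best)


def report(threats=THREATS, shares=ANSWER_SHARES, attempts=3):
    """One line per question: which threat rows defeat it and, where we have a
    distribution, how it fares against `attempts` guesses (a lockout window)."""
    lines = []
    for q in sorted(ALL_QUESTIONS):
        rows = exposed_by(q, threats)
        line = f"[{q}] {'; '.join(rows) if rows else 'no listed threat'}"
        if q in shares:
            line += (f" | {attempts} guesses: {guess_success(shares[q], attempts):.1%}"
                     f" | min-entropy {min_entropy_bits(shares[q]):.2f} bits")
        lines.append(line)
    survivors = ", ".join(surviving_questions(threats)) or "none"
    lines.append(f"questions in no threat row: {survivors}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Running it shows the point of the footnote in numbers: with the constructed shares, three guesses at the best-friend question already succeed about 10% of the time, and the most common answer carries under 5 bits of min-entropy, far below anything a bank would accept as a password. The last line of the report is the set-difference the post asks the reader to compute: which letters sit in none of the table’s rows.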
Now in my bank’s defense, some of these negatives could be considered positives. Relying on publicly provable information for a variety of these things means that a person can’t really forget (for example) “In what city was your father born?” And many of the questions don’t have a single clear answer; instead there’s a fairly likely 5-20% chance of guessing correctly on each attempt.
This wouldn’t be such a problem if there weren’t so few non-public questions, and if they didn’t introduce an entirely new class of vulnerability to security questions by allowing “resume attacks”.
A resume generally has dates and locations. Depending on how old you are, your resume tells where you went to high school, when you graduated, what your first job was, and approximately how old you might be. Really quite terrible from the perspective of keeping the answers to the security questions secret.
Something interesting about resumes is that they are a double-edged sword. On one hand you want the widest distribution possible (self-promotion / advertising). On the other hand, you have to disclose a fair amount of information in order to permit people to contact you. My resume has been online for at least as long as this blog, and I’ve always kept it essentially the same as my traditional resume (address, phone number, and email included). Maybe it’s time now to put in “contact me at http://www.robertames.com/contact” and slap up a form.